EP4014459A1 - Systèmes et procédés d'authentification en ligne - Google Patents

Systèmes et procédés d'authentification en ligne

Info

Publication number
EP4014459A1
EP4014459A1 EP19941557.1A EP19941557A EP4014459A1 EP 4014459 A1 EP4014459 A1 EP 4014459A1 EP 19941557 A EP19941557 A EP 19941557A EP 4014459 A1 EP4014459 A1 EP 4014459A1
Authority
EP
European Patent Office
Prior art keywords
client device
user
authentication
processor
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
EP19941557.1A
Other languages
German (de)
English (en)
Other versions
EP4014459A4 (fr
Inventor
Carlos M. CU CASTRO
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Axos Bank
Original Assignee
Axos Bank
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Axos Bank filed Critical Axos Bank
Publication of EP4014459A1 publication Critical patent/EP4014459A1/fr
Publication of EP4014459A4 publication Critical patent/EP4014459A4/fr
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0861Network architectures or network communication protocols for network security for authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0838Network architectures or network communication protocols for network security for authentication of entities using passwords using one-time-passwords

Definitions

  • FIG. 1 shows a network according to an embodiment of the disclosure.
  • FIG. 2 shows a computing device according to an embodiment of the disclosure.
  • FIG. 3 shows an authentication method according to an embodiment of the disclosure.
  • FIGS. 4A and 4B show a secure wire transfer interface according to an embodiment of the disclosure.
  • FIG. 5 shows a secure wire transfer method according to an embodiment of the disclosure.
  • FIG. 1 shows a network 100 according to an embodiment of the disclosure.
  • computing devices may remotely connect to one another through a network 100 such as the Internet or other public and/or private networks.
  • Computing devices that may communicate using network 100 may include one or more client devices 102.
  • Client devices 102 may include, for example, dedicated client access devices (e.g., a personal computer configured to provide access to other devices in FIG. 1 and/or a thin client access workstation).
  • client devices 102 may be any computing devices that may be configured to perform the data communication functions described below, such as personal computers and/or laptops using Microsoft WindowsTM, Apple iOSTM, and/or other operating systems.
  • client devices 102 may communicate with one or more access points 108, which may use two-factor authentication services 112 and/or other authentication systems and methods to authenticate users of client devices 102.
  • access points 108 may be configured to provide access to VMWareTM Horizon ViewTM software or similar software and, in some embodiments, may be part of the VMWareTM Horizon ViewTM software or similar software package.
  • Authentication services 112 may be based on Rivest Shamir Aldeman (RSA) key soft token technology, lightweight directory access protocol (LDAP) technology, and/or other key generation systems.
  • RSA Rivest Shamir Aldeman
  • LDAP lightweight directory access protocol
  • authentication may be performed using biometrics.
  • client devices 102 may be equipped with facial scanning cameras, fingerprint readers, and/or other sensors. Client devices 102 may send biometric data of a user obtained by the sensors to access points 108, which may authenticate users who are recognized as legitimate users based on the biometric data.
  • client device 102 may connect to desktop virtualization system 116.
  • desktop virtualization system 116 may include one or more computers operating VMWareTM Horizon ViewTM software or similar software.
  • Desktop virtualization system 116 may provide a pool of virtual desktops 118. Client device 102 may connect an available virtual desktop 118 from the pool. Due to the authentication performed by access point 108 and authentication service 112, client device 102 may at this point be securely connected and authenticated to a secure computing environment provided by virtual desktop 118.
  • virtual desktop 118 may include a secure virtual browser that may be configured to connect with server 124 over network 100. Accordingly, a user of client device 102 may use virtual desktop 118 to authenticate to server 124 within the secure computing environment provided by virtual desktop 118. For example, this may be useful for embodiments wherein server 124 is configured to handle sensitive data.
  • server 124 may be an online banking server configured to perform online banking services for the user of client device 102 who has authenticated to server 124 through virtual desktop 118, for example.
  • connection between the devices described above may be provided and/or secured by various network hardware and/or software elements.
  • client device 102 and virtual desktop 118 may communicate using network 100 through respective routers 104 and 120 and/or other associated network equipment.
  • Sensitive data may be protected by providing external firewalls 106 and 122 between network 100 and access point 108 and server 124, respectively.
  • internal firewalls 110 and 114 may protect connections between access point 108 and authentication services 112 and desktop virtualization system 116, respectively.
  • the system arrangement of FIG. 1 may provide unique and specific features that may enhance security and connectivity. For example, through the combination of virtual and physical infrastructure elements illustrated in FIG. 1, some embodiments may improve authentication and communication security by gathering and processing sensitive user data (e.g., authentication data used to authenticate to server 124) in a computing environment which itself provides enhanced security. All applications that perform computing functions (e.g., banking functions) may be on server 124 side, so server 124 may be the only device in network 100 that processes sensitive data.
  • sensitive user data e.g., authentication data used to authenticate to server 12
  • All applications that perform computing functions e.g., banking functions
  • server 124 may be the only device in network 100 that processes sensitive data.
  • client device 102 may be configured only as an access point to the rest of the devices available through network 100 (e.g., desktop device 118 and/or server 124)
  • the system arrangement of FIG. 1 may prevent or reduce instances of malware being transmitted to the devices available through network 100 (e.g., desktop device 118 and/or server 124).
  • the user of client device 102 may not be presented with options to run software that can acquire malware either locally or at virtual desktop 118 (e.g., by being presented only with login options for connecting, ultimately, to server 124), and may therefore be restricted from obtaining malware that can be passed to server 124.
  • client device 102 may be configured or configurable to only provide functionality for connecting to other network 100 devices to the end user, with no other computing functions (e.g., other software packages) available for use, which may further prevent unwanted attacks or access attempts made through other software packages.
  • computing functions e.g., other software packages
  • FIG. 2 shows a computing device 200 according to an embodiment of the disclosure.
  • computing device 200 may function as one or more of the devices connected to network 100 described above, such as client device 102, access point 108, desktop device 118, server 124, and/or one or more of routers 104, 120 and/or firewalls 106, 110, 114, 122.
  • the computing device 200 may be implemented on any electronic device that runs software applications derived from compiled instructions, including without limitation personal computers, servers, smart phones, media players, electronic tablets, game consoles, email devices, etc.
  • the computing device 200 may include one or more processors 202, one or more input devices 204, one or more display devices 206, one or more network interfaces 208, and one or more computer-readable mediums 210. Each of these components may be coupled by bus 212, and in some embodiments, these components may be distributed among multiple physical locations and coupled by a network.
  • Display device 206 may be any known display technology, including but not limited to display devices using Liquid Crystal Display (LCD) or Light Emitting Diode (LED) technology.
  • Processor(s) 202 may use any known processor technology, including but not limited to graphics processors and multi-core processors.
  • Input device 204 may be any known input device technology, including but not limited to a keyboard (including a virtual keyboard), mouse, track ball, and touch-sensitive pad or display.
  • Bus 212 may be any known internal or external bus technology, including but not limited to ISA, EISA,
  • Computer-readable medium 210 may be any medium that participates in providing instructions to processor(s) 202 for execution, including without limitation, non-volatile storage media (e.g., optical disks, magnetic disks, flash drives, etc.), or volatile media (e.g., SDRAM, ROM, etc.).
  • non-volatile storage media e.g., optical disks, magnetic disks, flash drives, etc.
  • volatile media e.g., SDRAM, ROM, etc.
  • Computer-readable medium 210 may include various instructions 214 for implementing an operating system (e.g., Mac OS ® , Windows ® , Linux).
  • the operating system may be multi-user, multiprocessing, multitasking, multithreading, real-time, and the like.
  • the operating system may perform basic tasks, including but not limited to: recognizing input from input device 204; sending output to display device 206; keeping track of files and directories on computer-readable medium 210; controlling peripheral devices (e.g., disk drives, printers, etc.) which can be controlled directly or through an I/O controller; and managing traffic on bus 212.
  • Network communications instructions 216 may establish and maintain network connections (e.g., software for implementing communication protocols, such as TCP/IP, HTTP, Ethernet, telephony, etc.).
  • Authentication system instructions 218 may include instructions for performing the secure authentication processing described herein, for example one or more portions of processes 300 and/or 400 described below.
  • Application(s) 220 may be an application that uses or implements the processes described herein and/or other processes. The processes may also be implemented in operating system 214.
  • the described features may be implemented in one or more computer programs that may be executable on a programmable system including at least one programmable processor coupled to receive data and instructions from, and to transmit data and instructions to, a data storage system, at least one input device, and at least one output device.
  • a computer program is a set of instructions that can be used, directly or indirectly, in a computer to perform a certain activity or bring about a certain result.
  • a computer program may be written in any form of programming language (e.g., Objective-C, Java), including compiled or interpreted languages, and it may be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
  • Suitable processors for the execution of a program of instructions may include, by way of example, both general and special purpose microprocessors, and the sole processor or one of multiple processors or cores, of any kind of computer.
  • a processor may receive instructions and data from a read-only memory or a random access memory or both.
  • the essential elements of a computer may include a processor for executing instructions and one or more memories for storing instructions and data.
  • a computer may also include, or be operatively coupled to communicate with, one or more mass storage devices for storing data files; such devices include magnetic disks, such as internal hard disks and removable disks; magneto-optical disks; and optical disks.
  • Storage devices suitable for tangibly embodying computer program instructions and data may include all forms of non-volatile memory, including by way of example semiconductor memory devices, such as EPROM, EEPROM, and flash memory devices; magnetic disks such as internal hard disks and removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
  • semiconductor memory devices such as EPROM, EEPROM, and flash memory devices
  • magnetic disks such as internal hard disks and removable disks
  • magneto-optical disks and CD-ROM and DVD-ROM disks.
  • the processor and the memory may be supplemented by, or incorporated in, ASICs (application-specific integrated circuits).
  • ASICs application-specific integrated circuits
  • the features may be implemented on a computer having a display device such as an LED or LCD monitor for displaying information to the user and a keyboard and a pointing device such as a mouse or a trackball by which the user can provide input to the computer.
  • input devices may include biometric sensors such as cameras that may scan faces and/or fingerprint sensors.
  • the features may be implemented in a computer system that includes a back-end component, such as a data server, or that includes a middleware component, such as an application server or an Internet server, or that includes a front-end component, such as a client computer having a graphical user interface or an Internet browser, or any combination thereof.
  • the components of the system may be connected by any form or medium of digital data communication such as a communication network. Examples of communication networks include, e.g., a telephone network, a LAN, a WAN, and the computers and networks forming the Internet.
  • the computer system may include clients and servers.
  • a client and server may generally be remote from each other and may typically interact through a network.
  • the relationship of client and server may arise by virtue of computer programs running on the respective computers and having a client- server relationship to each other.
  • An API may define one or more parameters that are passed between a calling application and other software code (e.g., an operating system, library routine, function) that provides a service, that provides data, or that performs an operation or a computation.
  • software code e.g., an operating system, library routine, function
  • the API may be implemented as one or more calls in program code that send or receive one or more parameters through a parameter list or other structure based on a call convention defined in an API specification document.
  • a parameter may be a constant, a key, a data structure, an object, an object class, a variable, a data type, a pointer, an array, a list, or another call.
  • API calls and parameters may be implemented in any programming language.
  • the programming language may define the vocabulary and calling convention that a programmer will employ to access functions supporting the API.
  • an API call may report to an application the capabilities of a device running the application, such as input capability, output capability, processing capability, power capability, communications capability, etc.
  • FIG. 3 shows an authentication method 300 according to an embodiment of the disclosure.
  • Some or all of the elements shown in FIG. 1 and communicating using network 100 may perform method 300 to securely authenticate a user of client device 102 with server 124 and/or to facilitate additional end-to-end communications between client device 102 and server 124.
  • internal elements such as the access point 108, authentication services 112, desktop virtualization system 116, and/or virtual desktop 118 may be secured (e.g., behind firewalls as described above) and may perform method 300.
  • Method 300 may provide a unique procedure for high-security communications that improves upon the security afforded by less rigorous authentication techniques.
  • client device 102 may receive client login data. For example, a user may log into client device 102 locally.
  • some embodiments may include client devices 102 set up so that a user is required to log into the device locally to continue. Examples may include Mac and/or PC devices which may prompt a user to log into the desktop locally. After logging in, the user may be able to initiate access point 108 connection functionality, or access point 108 connection functionality may be triggered automatically upon login. In other embodiments, such as when client device 102 is a thin client dedicated to providing access to access point 108 and further functions of process 300, no login may be required, and client device 102 may present access point 108 connection functionality without login. In some embodiments, the client login may time out after a period of time, which may safeguard against unauthorized users from accessing client device 102 functionality after authorized users leave client device 102 unattended.
  • client device 102 may connect to access point 108 through network 100.
  • access point 108 is an access point to a VMWareTM Florizon ViewTM system as described above
  • client device 102 may launch a VMWareTM Florizon ViewTM client and use the client to connect to access point 108.
  • access point 108 may request credentials from client device 102.
  • access point 108 may require the user to authenticate using a two-factor authentication procedure in some embodiments.
  • access point 108 may direct authentication services 122 to provide a soft token (such as a multi-character code, for example) to the user.
  • authentication services 122 may push or otherwise send a soft token to client device 102, or a user's personal device (e.g., a smart phone, tablet, laptop, personal computer, smart watch, etc.), or a combination thereof.
  • Access point 108 and/or authentication services 122 may request a one-time passcode from the user.
  • access point 108 and/or authentication services 122 may cause client device 102 to display instructions to the user to enter the one-time passcode and send it to access point 108 and/or authentication services 122 through network 100.
  • the one-time passcode may be the soft token.
  • the one-time passcode may be the soft token plus some additional information, such as a user-specific PIN and/or password.
  • access point 108 and/or authentication services 122 may receive token credentials, which may include the one-time passcode.
  • the user may enter the one-time passcode into a user interface field provided by client device 102 in response to receiving the request at 304.
  • the user may also enter a username, which may allow access point 108 to identify an account for which access is being requested, for example.
  • Client device 102 may send the one-time passcode, and username where applicable, to access point 108.
  • Access point 108 may pass control over to authentication services 122 in response to receiving the one-time passcode.
  • client device 102 may send the one-time passcode, and username where applicable, directly to authentication services 122.
  • Authentication services 122 may authenticate the one-time passcode.
  • access point 108 may require the user to authenticate using biometric data.
  • Client device 102 may be equipped with facial scanning cameras, fingerprint readers, and/or other sensors.
  • Client device 102 may display instructions for submitting biometric data (e.g., directing the user to look at a camera or place a finger on a fingerprint reader).
  • Client device 102 may gather biometric data using the sensor(s) and send the data, and username where applicable, to access point 108.
  • Access point 108 may have access to user registration data (e.g., previously obtained user facial scans, fingerprint scans, or other biometric data associated with the user's account in a registration process).
  • Access point 108 may analyze the biometric data from client device 102 to determine whether it matches the biometric data in the user registration data (e.g., corresponding to the username) for the user attempting to access server 124. If the biometric data from client device 102 is verified as belonging to the user, access point 108 may authenticate the user.
  • the biometric data from client device 102 is verified as belonging to the user, access point 108 may authenticate the user.
  • access point 108 may require an additional authentication factor, such as lightweight directory access protocol (LDAP) credentials, from the user. If so, access point 108 may request these additional credentials from client device 102 and authenticate them when they are received. For example, as with the token credentials, client device 102 may prompt for the LDAP credentials, the user may enter the LDAP credentials, and client device 102 may send the LDAP credentials to access point 108 for verification. In some embodiments, the access point login may time out after a period of time, which may safeguard against unauthorized users from accessing access point 108 functionality after authorized users leave client device 102 unattended.
  • LDAP lightweight directory access protocol
  • the user may be connected with a virtual desktop.
  • desktop virtualization system 116 may launch and/or select an available virtual desktop 118 and provide client device 102 with access to virtual desktop 118.
  • virtual desktop 118 may be a Microsoft Windows 10TM virtual desktop, for example, although virtual desktops 118 based on other operating systems may be used in some embodiments.
  • Virtual desktop 118 may provide access to a secure browser application. In some embodiments, virtual desktop 118 may be dedicated only to accessing the secure browser application, and may not provide any other applications to the user.
  • virtual desktop 118 may launch the secure browser application.
  • the secure browser application may be a virtual browser.
  • the secure browser application may be a dedicated application for accessing a particular server (e.g., server 124) or, in some embodiments, may be a general purpose browser.
  • Virtual desktop 118 may launch the secure browser application in response to a user command submitted through client device 102 to virtual desktop 118.
  • client device 102 may present a user interface showing the virtual desktop 118 user interface, which may include an icon or other selectable element that may cause virtual desktop 118 to launch the secure browser application in response to being clicked or otherwise selected.
  • virtual desktop 118 may automatically launch the secure browser application upon virtual desktop 118 launch.
  • the secure browser application running on virtual desktop 118 may request credentials from client device 102.
  • the secure browser application running on virtual desktop 118 may require the user to authenticate using a two-factor authentication procedure in some embodiments.
  • the secure browser application running on virtual desktop 118 may direct authentication services 122 to provide a soft token (such as a multi-character code, for example) to the user.
  • authentication services 122 may push or otherwise send a soft token to client device 102, or a user's personal device (e.g., a smart phone, tablet, laptop, personal computer, smart watch, etc.), or a combination thereof.
  • the secure browser application running on virtual desktop 118 and/or authentication services 122 may request a one-time passcode from the user.
  • the secure browser application running on virtual desktop 118 and/or authentication services 122 may cause client device 102 to display instructions to the user to enter the one-time passcode and send it to the secure browser application running on virtual desktop 118 108 and/or authentication services 122 through network 100.
  • the one-time passcode may be the soft token.
  • the one-time passcode may be the soft token plus some additional information, such as a user-specific PIN and/or password.
  • the credentials may be authenticated, allowing the user to access the secure browser application running on virtual desktop 118.
  • the secure browser application running on virtual desktop 118 may request credentials from client device 102 in order to access server 124.
  • a user interface provided in the secure browser application may be visible in the virtual environment that, in turn, may be displayed in a user interface of client device 102.
  • the user interface in the secure browser application may include fields for entering account credentials, such as a username and/or password for an account handled by server 124.
  • server 124 may be a banking server, and the user may enter a username and password for accessing a bank account.
  • the secure browser application running on virtual desktop 118 may receive the user's input of the credentials and provide the credentials to server 124.
  • Server 124 may authenticate the credentials and, if the credentials are successfully authenticated, provide access to secure information on server 124 through the secure browser application running on virtual desktop 118.
  • server 124 is a banking server
  • the user may then engage in any online banking activities, such as wire transfer, account modification, etc. through the secure environment provided by the combination of authentication actions performed in process 300.
  • process 300 may safeguard sensitive data stored by server 124 with much stronger protections than other authentication processes with fewer process elements and/or involving fewer hardware and/or software elements.
  • the server login may time out after a period of time, which may safeguard against unauthorized users from accessing server 124 functionality after authorized users leave client device 102 unattended.
  • the secure browser application may provide various functionality in addition to providing access to the secure information.
  • the secure browser application may provide functionality for facilitating secure wire transfers.
  • Bank account holders may use wire transfers to send money from their account to another account for any reason. Examples may include, but are not limited to, real estate settlements (escrow and title), trust payments, investment payments, auction payments, gambling payments, bankruptcy payments, etc.
  • real estate settlements escrow and title
  • trust payments investment payments
  • auction payments gambling payments
  • bankruptcy payments etc.
  • account holders sending money via wire transfer are frequent targets of fraud attempts, wherein others misrepresent themselves as the intended recipient of the money and provide wire transfer instructions that route the transfer to an account different from the account the sender intends.
  • the secure browser application may provide an interface allowing a genuine recipient to securely provide genuine wire transfer instructions to a sender.
  • FIGS. 4A and 4B show a secure wire transfer interface 400 according to an embodiment of the disclosure.
  • a user may use interface 400 to establish wire transfer instructions and trigger messages to client devices prompting users of the client devices to securely obtain the wire transfer instructions.
  • FIG. 5 shows a secure wire transfer method 500, according to an embodiment of the disclosure, that may incorporate interface 400. Portions of interface 400 that are used within method 500 are described in the context of method 500 below.
  • the user may launch the secure wire transfer interface 400, for example by selecting an option presented within the secure browser after process 300 provides access as described above.
  • Server 124 may present interface 400 to the user.
  • interface 400 may be an FITML or other interface that is specific to the user who has logged in.
  • Interface 400 may be configured to capture information that may be used to initiate wire instruction(s) to buyer/wire senders. These wire instructions may be made available to the buyer/wire senders via a wire transfer app (e.g., Android/iOS app), as described below.
  • Information collected through interface 400 may be parsed and stored in server 124 and/or may be sent to other services depending on the information needed throughout the authentication steps of the wire transfer app, for example.
  • the wire transfer instructions may be configured.
  • a user may be able to select an option to create a new notice 402 or, for one or more existing notices 404 that may be displayed, an option to edit the existing notice 406.
  • interface 400 may display a form 420.
  • Form 420 may include one or more selectable options and/or tillable fields for gathering information that may be used to prepare wire transfer instructions.
  • form 420 may be configured to receive information identifying the sender (e.g., sender name, phone number, etc.), a purpose for the wire transfer, an amount to be transferred, information identifying the recipient (e.g., agent name, company name, account number, escrow number or other identifier, email address, phone number, etc.), authentication information (e.g., a code word such as the combination of shoe size and eye color shown in FIG. 4B or another code word), and/or other options.
  • a user may enter such information and then select a send option 422 to advance process 500.
  • server 124 may generate and send a message to the sender identified at 504.
  • the message may be an SMS text message, MMS text message, or other message sent to the phone number of the sender entered into form 420.
  • the message may include instructions to obtain or launch the wire transfer app.
  • the message may include a one-time passcode automatically generated by server 124, such as a sequence of numbers and/or letters.
  • the one-time passcode may expire after a prescribed length of time, and this prescribed length of time may be indicated in the message in some cases.
  • a message may read as follows, with information in parentheses being entered through form 420 and/or automatically generated by server 124. "(Agent name) from (company name) has sent you payment information. Your one-time secure code is (one-time passcode). This code will expire in (prescribed length of time) Please go to the (name of app) to view instructions. (Name of app) is available in your device's app store.”
  • a sender client device configured to receive messages sent to the phone number used at 506 may receive the message (e.g., the SMS or MMS message).
  • the text message may deliberately omit URL links to locations from which the app can be downloaded and/or to the app itself. The lack of links may minimize the potential for fraudsters to mimic the process and thereby convey fraudulent wire instructions to senders.
  • the user of the sender client device may download and install the app as instructed in the text message if the app is not already present on the device. After installation, or if the app is already present, the user may launch the app.
  • the app may be launched in the sender client device and may present a user interface.
  • the user interface may include a field for entering security elements such as the one-time passcode and the code word specified at 504. In some embodiments, these may be entered on a same page, and in other embodiments, a user may enter one of these elements first and then, after that element is verified by the app, enter the second element.
  • the code word may be known to the user of the app based on verbal communication with the user of interface 400, but may not be communicated electronically at any point in process 500, thereby minimizing the potential for fraudsters to mimic the process and thereby convey fraudulent wire instructions to senders.
  • the app may authenticate the information entered by the user. In some embodiments, this may include the client device communicating with server 124 by one or more networks to match the one- time passcode against an entry in a database maintained by server 124.
  • the database may specify an active one-time passcode associated with the message sent to the client device and the account of the user who configured the wire transfer instructions at 504. If the passcodes match, server 124 may also compare the code word entered into the app to the code word specified at 504. If these code words match, process 500 may continue. If not, the app may offer repeat opportunities to enter the code word in some embodiments. After a certain number of repeat attempts without success, the app may present a message directing the user to communicate directly with the recipient (e.g., by phone or in person) to receive wire instructions.
  • server 124 may send wire instructions configured at 504 to the sender client device.
  • the sender client device may display the instructions, which may be accessed, printed, and/or emailed from the app in some embodiments.
  • the user may use the instructions to wire the money according to the instructions through a banking app or other money wiring system or method of their choice.
  • the wire transfer may be confirmed.
  • server 140 may analyze incoming wire transfers to the account of the user of interface 400. Server 140 may compare information included in incoming wire transfers (e.g., escrow number or other identifier) to equivalent information (e.g., escrow number or other identifier) entered at 504. In response to detecting a positive match, server 140 may determine that the wire transfer is complete. Server 140 may notify the receiver user through interface 400 and/or may send a confirmation message (e.g., SMS or MMS message) to the sender client device to notify the sender that the transfer is complete.
  • a confirmation message e.g., SMS or MMS message
  • interface 400 may include an archive option 408 selectable from the list of existing notices 404 (e.g., FIG. 4A) and/or from the form 420 for a notice (e.g., FIG. 4B). Selection of the archive option 408 may trigger server 140 to perform a closure of the wire instructions. This may cause the sender's app to enter a "need authentication" state requiring a new one-time passcode since there may be no active wire Instructions for the sender to access.
  • an archive option 408 selectable from the list of existing notices 404 (e.g., FIG. 4A) and/or from the form 420 for a notice (e.g., FIG. 4B). Selection of the archive option 408 may trigger server 140 to perform a closure of the wire instructions. This may cause the sender's app to enter a "need authentication" state requiring a new one-time passcode since there may be no active wire Instructions for the sender to access.
  • Process 500 has been presented as being performed, in part, through the use of interface 400 which is accessible through the secure browser described above. Accordingly, access to interface 400 and performance of process 500 may be restricted to cases wherein process 300 has been successfully performed and access to the secure browser has been thereby granted. Flowever, in alternate embodiments, it may be possible to perform process 500 (including, in some embodiments, presenting and using interface 400) without first performing process 300. For example, access to interface 400 may be enable through other access, login, and/or verification techniques.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Selon la présente invention, un serveur peut comprendre au moins un processeur de serveur conçu pour exécuter une application. Un système de virtualisation de bureau peut comprendre au moins un processeur de virtualisation de bureau. Le processeur de virtualisation de bureau peut être conçu pour instancier un bureau virtuel ; authentifier un utilisateur d'un dispositif client ; en réponse à l'authentification de l'utilisateur du dispositif client, placer le dispositif client en communication avec le bureau virtuel par l'intermédiaire d'au moins un réseau ; lancer un navigateur sécurisé dans le bureau virtuel ; et utiliser le navigateur sécurisé, placer le dispositif client en communication avec le serveur par l'intermédiaire d'au moins un réseau. L'application peut être conçue pour effectuer un traitement en réponse à au moins une commande provenant du dispositif client. Le traitement peut comprendre la génération d'un mot de passe à usage unique, l'établissement d'un mot de code non communiqué par l'intermédiaire du ou des réseaux, et l'envoi d'un message comprenant le mot de passe à usage unique à un dispositif client expéditeur.
EP19941557.1A 2019-08-12 2019-08-12 Systèmes et procédés d'authentification en ligne Pending EP4014459A4 (fr)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2019/046137 WO2021029865A1 (fr) 2019-08-12 2019-08-12 Systèmes et procédés d'authentification en ligne

Publications (2)

Publication Number Publication Date
EP4014459A1 true EP4014459A1 (fr) 2022-06-22
EP4014459A4 EP4014459A4 (fr) 2023-05-03

Family

ID=74570685

Family Applications (1)

Application Number Title Priority Date Filing Date
EP19941557.1A Pending EP4014459A4 (fr) 2019-08-12 2019-08-12 Systèmes et procédés d'authentification en ligne

Country Status (2)

Country Link
EP (1) EP4014459A4 (fr)
WO (1) WO2021029865A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022240384A1 (fr) * 2021-05-10 2022-11-17 Hewlett-Packard Development Company, L.P. Kits d'impression en trois dimensions

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080040262A1 (en) * 2006-08-10 2008-02-14 Integra Micro Systems (P) Ltd Voice authenticated financial transaction
US8281375B2 (en) * 2007-01-05 2012-10-02 Ebay Inc. One time password authentication of websites
US8799666B2 (en) * 2009-10-06 2014-08-05 Synaptics Incorporated Secure user authentication using biometric information
US8370899B2 (en) * 2010-08-11 2013-02-05 Emc Corporation Disposable browser for commercial banking
US8694993B1 (en) * 2011-03-31 2014-04-08 Emc Corporation Virtualization platform for secured communications between a user device and an application server
US8701174B1 (en) * 2011-09-27 2014-04-15 Emc Corporation Controlling access to a protected resource using a virtual desktop and ongoing authentication
KR20150053663A (ko) * 2013-11-08 2015-05-18 김주한 이동통신단말기를 이용한 다채널 인증과 금융 이체 방법 및 시스템
US11936646B2 (en) * 2018-02-13 2024-03-19 Axos Bank Online authentication systems and methods

Also Published As

Publication number Publication date
WO2021029865A1 (fr) 2021-02-18
EP4014459A4 (fr) 2023-05-03

Similar Documents

Publication Publication Date Title
US11777923B2 (en) Online authentication systems and methods
US8869238B2 (en) Authentication using a turing test to block automated attacks
US11625720B2 (en) Secure in-line payments for rich internet applications
EP3195108B1 (fr) Système et procédé pour intégrer un service d'authentification à l'intérieur d'une architecture de réseau
EP3022867B1 (fr) Procéde d'authentification forte
US20110265156A1 (en) Portable security device protection against keystroke loggers
US20090006232A1 (en) Secure computer and internet transaction software and hardware and uses thereof
EP2343678A1 (fr) Procédés et systèmes de transaction sécurisée
TR201810238T4 (tr) Bir mobil kimlik doğrulama uygulaması kullanarak kullanıcıya uygun kimlik doğrulama yöntemi ve aparatı.
US10735436B1 (en) Dynamic display capture to verify encoded visual codes and network address information
US20130104220A1 (en) System and method for implementing a secure USB application device
US10373135B2 (en) System and method for performing secure online banking transactions
US11936646B2 (en) Online authentication systems and methods
US12184641B1 (en) Secure computer-implemented authentication
US20130031000A1 (en) System and Method for Detecting Fraudulent Financial Transactions
US12034765B1 (en) Securing network access with legacy computers
US20130151411A1 (en) Digital authentication and security method and system
Abiodun et al. Securing digital transaction using a three-level authentication system
US12095762B2 (en) Systems and methods for multi-stage, biometric-based, digital authentication
EP4014459A1 (fr) Systèmes et procédés d'authentification en ligne
EP3570518B1 (fr) Systeme et procede d'authentification utilisant un jeton a usage unique de duree limitee
EP2813962B1 (fr) Méthode de contrôle d'accès à un type de services spécifique et dispositif d'authentification pour le contrôle de l'accès à un tel type de services.
TWI648688B (zh) 交叉驗證轉帳方法及系統
US12615263B1 (en) Token to secure network access
US12021860B2 (en) Systems and methods for multi-stage, identity-based, digital authentication

Legal Events

Date Code Title Description
STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20220303

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

DAV Request for validation of the european patent (deleted)
DAX Request for extension of the european patent (deleted)
REG Reference to a national code

Ref country code: DE

Ref legal event code: R079

Free format text: PREVIOUS MAIN CLASS: H04L0029060000

Ipc: H04L0009400000

A4 Supplementary search report drawn up and despatched

Effective date: 20230403

RIC1 Information provided on ipc code assigned before grant

Ipc: G06F 9/451 20180101ALI20230328BHEP

Ipc: H04L 9/40 20220101AFI20230328BHEP